![\"nmap\"](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image.png\")
<\/figure>\n\n\n\nWith a simple scan, we have ports 21, 22, and 8081. I do want to note that by default, Nmap only scans the top 10k ports unless you explicitly tell it to scan a different port range or all ports. This can be done with other switches when running your scan. You can see more of this on Nmap\u2019s website, https:\/\/nmap.org\/book\/man-briefoptions.html<\/a>.<\/p>\n\n\n\n Now, that we have scan results, we can start answering some of the enumeration questions in Task 2.<\/p>\n\n\n\n First up, what software is using port 8081. We can see that Node.js is using that port.<\/p>\n\n\n\n The next question asks what other non-standard port is being used. However, noting that the answer is 5 characters long, it appears that this is beyond the typical 10k port scan range that Nmap does by default. This means, we need to scan more ports.<\/p>\n\n\n\n We will need to submit another Nmap scan, but this time with an expanded port range. I\u2019m going to go ahead and scan all ports, just to be safe. This, unfortunately, takes longer to run just due to the amount of ports that Nmap has to check.<\/p>\n\n\n\n We will scan all ports with the switch -p1-65535. This tells Nmap to scan ports 1 \u2013 65,535. You could also use the switch -P- which would be easier to type. However, I chose to use the elongated version just to show the entire port range. Additionally, I\u2019ve used the -T 4 switch to change the timing to make the scan run much faster. A word of caution on this, running too high can cause issues and should be limited when used in any real production environment.<\/p>\n\n\n\n So our new scan will look something like this.<\/p>\n\n\n\n And we finally have our results back.<\/p>\n\n\n\n So, our other non-standard port is 31,331. We have the answer to question 2 in Task 2.<\/p>\n\n\n\n Question 3 is asking what software uses this port. Simple enough, it\u2019s Apache.<\/p>\n\n\n\n Question 4 then asks us what Linux Distro appears to be in use. From the results on port 31331, it looks like it may be Ubuntu. Entering Ubuntu nets us a correct answer.<\/p>\n\n\n\n Finally question 5 asks us how many routes from the REST API on port 8081 are used by the web application. For a quick reference, the below link talks about REST API routes and endpoints and the difference between them.<\/p>\n\n\n\n Routes and Endpoints | REST API Handbook | WordPress Developer Resources<\/a><\/p>\n\n\n\n For this one, we need to do some directory traversing on this to see what we can find.<\/p>\n\n\n\n For this, we will use Dirb.<\/p>\n\n\n\n Pretty quickly, we see \/auth and \/ping. So, we\u2019ll answer 2 for question 5.<\/p>\n\n\n\n Here it talks about a page to login. I did first check out the \/auth but got a message that I need to specify a username and password.<\/p>\n\n\n\n Let\u2019s revert back to some enumeration. What is one file most websites use to explicitly tell crawlers not to archive? Robots.txt. So, let\u2019s see if the site has that file and what may be on it.<\/p>\n\n\n\n I first tried this on port 8081 but got nothing. I then tried with port 31331.<\/p>\n\n\n\n So, we have a utech_sitemap.txt page. Let\u2019s have a look at it.<\/p>\n\n\n\n Visiting each page, I noticed that partners.html has a login screen.<\/p>\n\n\n\n A hint in the Task section notes that \u201cQuick and dirty login implementations usually goes with poor data management.\u201d<\/p>\n\n\n\n So, I loaded up BurpSuite and ran through checking the login process with admin\/admin. Just to see what the program does.<\/p>\n\n\n\n Here\u2019s what I found interesting.<\/p>\n\n\n\n After sending the credentials, the page also does a GET on the \/ping endpoint with the IP address of the CTF box.<\/p>\n\n\n\n When looking at the page source, I see the following JS files.<\/p>\n\n\n\n This calls the api.js which then calls the \/ping endpoint.<\/p>\n\n\n\n Exactly what we saw in the Burp request.<\/p>\n\n\n\n Manually going to the API endpoint and pasting the ping in nets us the below.<\/p>\n\n\n\n Ok, so for this one, this took me a bit, mainly because I got stuck with command substitution and using the wrong character.<\/p>\n\n\n\n In the JS file, it shows not a single quote, but a tic mark, if I\u2019m not mistaken. It\u2019s on the tilde key on your keyboard.<\/p>\n\n\n\n For context, I was trying to do something like the below, where you can potentially combine commands by using a separator. I tried using a semicolon to separate the ping command with the next.<\/p>\n\n\n\n I also attempted adding single quotes with the same type of command usage.<\/p>\n\n\n\n This also does not work because it won\u2019t process \u2018. It will, however, process `. Once I figured out that the tic mark worked, it was go time.<\/p>\n\n\n\n As we can see, in the response, it shows \u2018www\u2019. That is the current user we ran that command under.<\/p>\n\n\n\n Now, let\u2019s run an ls command to see what\u2019s in the directory.<\/p>\n\n\n\n This should be our answer to Task 3, question 1. The filename is utech.db.sqlite.<\/p>\n\n\n\n Question 2 in Task 3 asks us what the first user\u2019s password hash is. I\u2019m assuming this might be in the database file?<\/p>\n\n\n\n Let\u2019s try a \u2018cat\u2019 command to view the file itself.<\/p>\n\n\n\n A bit surprised that worked, honestly.<\/p>\n\n\n\n So, we will use the hash for root, to answer this question. That is, the numbers and letters immediately following root, up until the closed parenthesis.<\/p>\n\n\n\n Question 3 asks us what the password is with this hash. That means we need to crack the hash.<\/p>\n\n\n\n For this, I just googled \u2018Online Hash Cracker\u2019 and chose https:\/\/crackstation.net\/<\/a><\/p>\n\n\n\n Pasting in the hash and clicking crack, simple enough, and got us the password.<\/p>\n\n\n\n Now that we have our hash, we can move on to Task 4.<\/p>\n\n\n\n The last question asks for Root\u2019s private SSH key and the last 9 characters of it.<\/p>\n\n\n\n Since we do have root\u2019s credentials, let\u2019s see if we can login as root.<\/p>\n\n\n\n This actually hung me up a LOT longer than it should have. I did not notice that the username was r00t instead of root. Tricky, tricky. I was trying to login with the legit root account instead of r00t and it was obviously failing. <\/p>\n\n\n\n Let\u2019s ssh in as r00t, instead.<\/p>\n\n\n\n Now, that we are finally in. We can attempt to escalate privileges to actual root user.<\/p>\n\n\n\n Since I really like Linpeas, we are going to go ahead and grab it and run it on the CTF box.<\/p>\n\n\n\n First, we will start up our http server in my pywww directory where linpeas.sh is stored. This allows me to quickly host a web server and do a wget to pull the file on the victim machine.<\/p>\n\n\n\n As you can see from the above, the incoming GET request for linpeas.<\/p>\n\n\n\n Next, we give the script executable permissions and then run it\u2026<\/p>\n\n\n\n Look at that cute lil feller\u2026.<\/p>\n\n\n\n Right off the bat, we see that Sudo version appears to be vulnerable\u2026<\/p>\n\n\n\n https:\/\/book.hacktricks.xyz\/linux-hardening\/privilege-escalation#sudo-version<\/a><\/p>\n\n\n\n After some back and forth with this (and by some I mean quite a while), I decided to use the PwnKit vulnerability that Linpeas pointed also out further down.<\/p>\n\n\n\n![\"nmap](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image-2.png\")
<\/figure>\n\n\n\n![\"That](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image-1.png\")
<\/figure>\n\n\n\n![\"nmap](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image-3.png\")
<\/figure>\n\n\n\n![\"dirb\"](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image-4.png\")
<\/figure>\n\n\n\nTask 3<\/h2>\n\n\n\n
![\"robots.txt\"](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image-5.png\")
<\/figure>\n\n\n\n![\"sitemap\"](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image-6.png\")
<\/figure>\n\n\n\n![\"Burp](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image-7.png\")
<\/figure>\n\n\n\n![\"api.js](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image-8.png\")
<\/figure>\n\n\n\n![\"\/ping](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image-9.png\")
<\/figure>\n\n\n\n![\"ping](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image-10.png\")
<\/figure>\n\n\n\n![\"important](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image-11.png\")
<\/figure>\n\n\n\n![\"attempted](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image-12.png\")
<\/figure>\n\n\n\n![\"using](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image-13.png\")
<\/figure>\n\n\n\n![\"whoami](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image-14.png\")
<\/figure>\n\n\n\n![\"directory](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image-15.png\")
<\/figure>\n\n\n\n![\"viewing](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image-16.png\")
<\/figure>\n\n\n\n![\"Hash](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image-17.png\")
<\/figure>\n\n\n\nTask 4<\/h2>\n\n\n\n
![\"ssh](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image-18.png\")
<\/figure>\n\n\n\n![\"setting](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image-19.png\")
<\/figure>\n\n\n\n![\"grabbing](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image-20.png\")
<\/figure>\n\n\n\n![\"making](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image-21.png\")
<\/figure>\n\n\n\n![\"linpeas\"](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image-22.png\")
<\/figure>\n\n\n\n![\"Sudo](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image-23.png\")
<\/figure>\n\n\n\n![\"Pwnkit\"](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image-24.png\")
<\/figure>\n\n\n\n![\"Grabbing](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image-25.png\")
<\/figure>\n\n\n\n
![\"root](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2023\/11\/image-26.png\")
<\/figure>\n\n\n\n